On Wed, Apr 17, 2002 at 12:28:37PM -0700, Rick Klement wrote:
> There's already a %dispatch set up for you by perl...

I'd have used it but it just fell into the gaping security hole.

A recent Phrack article pointed out that one of the SOAP/RPC/XML modules was doing this:

    $soap->$tainted_method_name(@args);

where $tainted_method_name was derived from the Outside World. Because it wasn't doing any checking one could remotely pass in something like:

    I::want::you::to::call::this::method::instead

and it would. Because the method name is absolute it would work. As long as the method in question doesn't look at its arguments (as below) it will run fine. It just so happens that there was a method which granted authorization which didn't use its arguments. Ergo, security hole.

Yes, there are plans to make symbolic refs and dynamic method calls taint check in 5.8.1.

> while( $vData =~ /\[([A-Z])\]/g ) {
>     my $vSub = ucfirst lc $1;
>     main->$vSub();
      ^^^^^^^^^^^^^^
that's a method call which will cause problems if the subroutine looks at its arguments. It'll see "main" as the first one.

    no strict 'refs';
    &$vSub;

instead.

> }

-- 
Michael G. Schwern <[EMAIL PROTECTED]> http://www.pobox.com/~schwern/
Perl Quality Assurance <[EMAIL PROTECTED]> Kwalitee Is Job One
4 WHEREAS, the siren song of payola issuing from the discordant calliopes of these gambling vessels has led thousands of Kentucky citizens to vast disappointment and woe;
-- Kentucky Legislature, HR 256
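The dynamic-method-call hole described in the message above, as an added example that is not part of the original thread or of any SOAP/RPC module. The package names (Auth, Handler), the sub names and the three "requests" are all made up for the demonstration; the only thing it relies on is Perl's rule that a method name containing "::" is called directly in that package, bypassing method resolution on the invocant. It puts the unchecked dispatcher beside one that only accepts bare names from an explicit allow-list.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Package names (Auth,
# Handler) and the request data are made up to illustrate the bug.
use strict;
use warnings;

package Auth;
# Hypothetical privileged routine that, like the one the post describes,
# never looks at its arguments, so it runs happily when reached as a
# "method" on the wrong class.
sub grant_admin { return "ADMIN GRANTED" }

package Handler;
# The two methods a remote caller is meant to be able to reach.
sub ping { return "pong" }
sub echo { my ($class, @args) = @_; return join ' ', @args }

# Vulnerable: the method name comes straight from the request. If it is
# fully qualified (Auth::grant_admin) Perl calls that sub directly and
# skips method resolution on Handler entirely.
sub dispatch_unsafe {
    my ($class, $name, @args) = @_;
    return $class->$name(@args);
}

# Hardened: an explicit allow-list of bare method names. The regex also
# rejects anything containing '::', so a fully qualified name can never
# reach the dynamic call even if the allow-list is later edited carelessly.
my %allowed = map { $_ => 1 } qw(ping echo);

sub dispatch_safe {
    my ($class, $name, @args) = @_;
    die "refused method '$name'\n"
        unless defined $name
            && $name =~ /\A[a-z_][a-z0-9_]*\z/i
            && $allowed{$name};
    return $class->$name(@args);
}

package main;

# Constructed requests; the third is the attack the post describes.
my @requests = (
    [ 'ping' ],
    [ 'echo', 'hello', 'world' ],
    [ 'Auth::grant_admin', 'ignored' ],
);

for my $req (@requests) {
    my ($name, @args) = @$req;

    my $unsafe = Handler->dispatch_unsafe($name, @args);
    print "unsafe dispatch of $name: $unsafe\n";

    my $safe = eval { Handler->dispatch_safe($name, @args) };
    $safe = "error: $@" unless defined $safe;
    chomp $safe;
    print "safe   dispatch of $name: $safe\n";
}
```

Run it with plain `perl` (no `-T` needed): the unchecked dispatcher hands the third request to Auth::grant_admin even though that sub is not in Handler's namespace at all, while the allow-listed dispatcher dies on it and only ever calls ping or echo. The allow-list hash is the same idea as the %dispatch the quoted reply suggests; the point is that the lookup must happen before the name touches `->$name()`, not instead of it.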